Cyber Resilience

CVE-2026-21511

Severity: High · RCE

Published: 10 February 2026
Modified: 11 February 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0364 (88.1th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21511 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). The CVE is ranked in the top 11.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21511 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft Office Outlook. Published on 2026-02-10T18:16:33.337, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue enables an unauthorized attacker to perform spoofing over a network by having Outlook process untrusted data.

The vulnerability can be exploited by any unauthorized attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows the attacker to achieve spoofing, with a high impact on confidentiality but no impact on integrity or availability.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21511.

Vulnerability details

Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1684.002 Email Spoofing · Stealth
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?

The deserialization flaw in Outlook directly enables email spoofing over the network, with no user interaction required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40367 (same product: Microsoft 365 Apps)
CVE-2025-47994 (same product: Microsoft 365 Apps)
CVE-2026-20948 (same product: Microsoft 365 Apps)
CVE-2025-21364 (same product: Microsoft 365 Apps)
CVE-2025-53733 (same product: Microsoft 365 Apps)
CVE-2025-24079 (same product: Microsoft 365 Apps)
CVE-2026-40364 (same product: Microsoft 365 Apps)
CVE-2026-40361 (same product: Microsoft 365 Apps)
CVE-2026-40366 (same product: Microsoft 365 Apps)
CVE-2026-26113 (same product: Microsoft 365 Apps)

Affected Assets

Microsoft 365 Apps: all versions
Microsoft Office: 2019
Microsoft Office Long Term Servicing Channel: 2021, 2024
Microsoft SharePoint Server: 2016, 2019 · ≤ 16.0.19127.20518
Microsoft Word: 2016

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the specific deserialization flaw in Microsoft Office Outlook by requiring timely identification, reporting, and patching.

Prevent (SI-10, Information Input Validation): Validates untrusted network inputs to Outlook prior to deserialization, preventing exploitation of CWE-502 for spoofing.

Prevent (SI-16, Memory Protection): Implements memory protections such as DEP and ASLR to block unauthorized code execution resulting from deserialization of untrusted data.